Low Down and Dirty: Anti-forensic Rootkits darrenbilby_blackhat_v0.9_JP06.ppt Author Ping Look...
Transcript of Low Down and Dirty: Anti-forensic Rootkits darrenbilby_blackhat_v0.9_JP06.ppt Author Ping Look...
Copyright Security-Assessment.com2006
Low Down and Dirty:Anti-forensic Rootkits
Presented by Darren BilbyBlackhat Japan 2006
Copyright Security-Assessment.com2006
• Anti-forensics Overview• Digital Forensics Acquisition• The Live Imaging Process• How Live Forensics Tools Work• DDefy Introduction• NTFS Basics• DDefy Disk Forensics Demonstration• DDefy Challenges• DDefy Memory Forensics Demonstration• Better Methods for Live Imaging
Agenda
Copyright Security-Assessment.com2006
This is Not…• A demonstration of 0day rootkit techniques
This is …
• Showing flaws in current and proposed forensictechniques
• Showing how evidence could be manipulated andpeople wrongly convicted through bad forensicmethodologies
Copyright Security-Assessment.com2006
Anti-Forensics Methods• Data Contraception
– Prevent evidence data from existing somewhere thatcan be analyzed
– E.g. Memory only malware, memory only exploitation
• Data Hiding– Put the data on disk but put it somewhere the
forensic analyst is unlikely to look– E.g. Defilers toolkit, runefs,
Copyright Security-Assessment.com2006
Anti-Forensics Overview• Data Destruction
– Destroy any evidence before someone gets a chanceto find it
– E.g. Disk wiping, wipe, srm, evidence eliminator,necrofile
• Data Misdirection– Provide the forensic analyst false data that is
indistinguishable from the real thing– No public examples… until now.
Copyright Security-Assessment.com2006
Digital Forensics Acquisition• Need to gather an evidential copy of a system
• The Aim– Gather the “best” evidence available
• Gather volatile information– memory, process list, network connections, open
files…
• Power off machine and image disk
Copyright Security-Assessment.com2006
Digital Forensics Acquisition• What really happens…
• Two Competing Aims– Gather the “best” evidence available– Allow the system to continue operation in an
unhindered manner
• Results in “Live Imaging”– Taking a copy of a system while that system is still
functioning in a live environment
Copyright Security-Assessment.com2006
Reasons for “Live Imaging”• Business critical systems that cannot be shut
down
• Shutting down systems may create legal liabilityfor examiners through:– damaging equipment– unintentional data loss– hampering operations
• Judge instructs that evidence gathering must beconducted using the least intrusive methodsavailable
• Encrypted volumes
Copyright Security-Assessment.com2006
Digital Forensics AcquisitionLive imaging is now common practice
• Tools– Helix (dd/netcat)– Prodiscover IR– Encase EEE/FIM– FTK– Smart– …
Copyright Security-Assessment.com2006
Live Imaging Demonstration• Helix Open Source Forensics CD
– Contains many forensics tools– http://www.e-fense.com/helix/
• Windows Forensic Toolchest– Collect live data including Memory– http://www.foolmoon.net/security/wft/
• DD– Used by WFT & Helix to collect Memory and Disk– http://users.erols.com/gmgarner/forensics/
Copyright Security-Assessment.com2006
Live Imaging Demonstration• Files hidden by rootkits can be found in the
forensic disk image– Sleuthkit / Autopsy / Pyflag
• Processes hidden by rootkits can be found in theforensic memory image– Ptfinder
Copyright Security-Assessment.com2006
The Live Imaging Process
Trusted
Un-trusted
Un-trusted
Trusted
Un-trusted
Trusted?
Copyright Security-Assessment.com2006
The Live Imaging Process
Trusted
Trusted
Trusted
Trusted
Un-trusted
Trusted?
Easy Solution…Add Encryption
• Encase– SAFE public key
encryptionarchitecture
• DD– Cryptcat
• Prodiscover IR– Twofish
Encryption
Copyright Security-Assessment.com2006
What Happens When You Read a File?1. Readfile() called on File1.txt
offset 02. Transition to Kernel mode3. NtReadFile() processed4. I/O Subsystem called5. I/O Request Packet (IRP)
generated
6. Data at File1.txt offset 0requested from ntfs.sys
7. Data at D: offset 2138231requested from dmio.sys
8. Data at disk 2 offset 139488571requested from disk.sys
I/O Manager
Application
File System Driver
(ntfs .sys , … )
Disk Driver ( disk .sys )
Volume manager disk driver
( ftdisk .sys , dmio .sys )
Disk Array
Readfile ()
( Win32 API )
NtReadfile ()
(Kernel 32 .dll )
Kernel Mode
User Mode
Int 2E
(Ntdll .dll )
Call NtReadFile ()
( Ntoskrnl .exe )
KiSystemService
( Ntoskrnl .exe )
Initiate I /O Operation
( driver .sys )
1 32
Disk port driver
Disk miniport driver
1
2
3
56
7
8
4
Copyright Security-Assessment.com2006
How do the Live Forensics Tools Work?Read special device object files
• \\.\PhysicalMemory– Contains what is in physical memory– Only sees memory it can access safely– Changes as it is read
• \\.\PhysicalDriveX– The raw data on the disk– Ignores software cache– Could change as it is read
Copyright Security-Assessment.com2006
How do the Live Forensics Tools Work?
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys, …)
Volume manager disk driver
(ftdisk.sys, dmio.sys)
Disk Array
Readfile()
(Win32 API)
Initiate I/O Operation
(driver.sys)
1 32
dd.exe NtReadfile()
(Kernel32.dll)Int 2E (Ntdll.dll)
KiSystemService(Ntoskrnl.exe)Call NtReadFile()
(Ntoskrnl.exe)
Disk Driver (disk.sys)
Disk port driver (atapi, scsiport.sys)
Disk miniport driver
Copyright Security-Assessment.com2006
How do the Live Forensics Tools Work?
• All tested live forensics tools utilize this method– DD (GM Garner)– FTK Imager– Prodiscover IR
• Example live imaging command
psexec \\target –u Administrator –p password dd.exeif=\\.\PhysicalDrive0of=\\mymachine\share$\target.drive0.dd bs=8k conv=noerror
Copyright Security-Assessment.com2006
How do the Live Forensics Tools Work?
Aim: Get an accurate low level copy of disk andmemory.
Good Things about Live Forensics Tools:
• Bypass standard rootkit techniques so a hacker can’t hidetheir files
• Bypass major parts of the Windows driver stack including theFile System Driver and Volume Manager Driver
Copyright Security-Assessment.com2006
DDefy: The Idea• Live forensics tools trust a bad kernel to give
them clean data
• Lets create a rootkit that hooks below the forensictools
• Provide the forensic tool a valid but “cleansed”version of the system
• Implement as low as we can get while still beingpractical
• Implement instead of claiming theory
Copyright Security-Assessment.com2006
DDefy: The ChallengeFrom Live forensics tool documentation:
Q. Can't a rootkit be written to avoid detection?
A. While it is theoretically possible to create a rootkit to alterthe lower level disk sector read command, it would beextremely difficult and would require significantinformation about the specific machine being rooted.Any attempt to determine which sectors contain the data therootkit is trying to hide would need to keep track of virtuallythe complete disk data structure on the system to keep thenormal operation of the system from overwriting the files. Ifthe cracker tried to mark a section of disk "bad" to preventthe system from altering the hidden files, it would no longerbe available to read using the rooted disk sector commands.We believe it is impractical to create this low levelrootkit.
Copyright Security-Assessment.com2006
DDefy: Implementation• The Aim: When someone does live forensics on
my system they should get a valid image, but notmy sensitive data.
• Proof of concept for 2K/XP/2k3• Kernel mode Rootkit
• Upper Disk Filter Driver• Intercepts IRP_MJ_READ I/O Request Packets
sent to the disk and modifies the return data
Copyright Security-Assessment.com2006
DDefy Disk Forensics Demo
Disk Capture with DDefy.wmvDisk Analysis with DDefy.wmv
Copyright Security-Assessment.com2006
DDefy: Results• Any data that is stored on the physical disk can be
hidden from a live forensics or detection tool
• There is no way to completely prevent this
• Live forensic imaging is still a useful tool– but it needs to be used with full knowledge of the
limitations
• Image the disk offline whenever possible
Copyright Security-Assessment.com2006
DDefy: Challenges1. Where do we intercept? (hook)
2. How do we understand the file system without afile system?
3. How do we ensure we give our investigator avalid image?
4. How do we avoid detection?
Copyright Security-Assessment.com2006
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys, …)
Volume manager disk driver
(ftdisk.sys, dmio.sys)
Disk Array
Readfile()
(Win32 API)
Initiate I/O Operation
(driver.sys)
1 32
dd.exe NtReadfile()
(Kernel32.dll)Int 2E (Ntdll.dll)
KiSystemService(Ntoskrnl.exe)Call NtReadFile()
(Ntoskrnl.exe)
Disk Driver (disk.sys)
Disk port driver (atapi, scsiport.sys)
Disk miniport driver
Public Userland (Ring 3) Rootkits• Binary replacement
eg modified Exe orDll
• Binary modificationin memory egHe4Hook
• User land hooking egHacker Defender– IAT hooking
Copyright Security-Assessment.com2006
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys , …)
Volume manager disk driver
(ftdisk.sys, dmio.sys)
Disk Array
Readfile ()
(Win 32 API)
Initiate I /O Operation
(driver .sys )
1 32
dd .exe NtReadfile ()
(Kernel32.dll )Int 2E (Ntdll.dll )
KiSystemService(Ntoskrnl .exe)Call NtReadFile()
(Ntoskrnl .exe)
Disk Driver (disk.sys)
Disk port driver (atapi, scsiport .sys )
Disk miniport driver
Kernel (Ring 0) Rootkits• Kernel SDT Hooking
E.g. NtRootkit
• Driver replacementE.g. replace ntfs.syswith ntfss.sys
• Direct Kernel ObjectManipulation –DKOME.g. Fu, FuTo
Copyright Security-Assessment.com2006
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys, …)
Volume manager disk driver
(ftdisk.sys, dmio.sys)
Disk Array
Readfile()
(Win32 API)
Initiate I/O Operation
(driver.sys)
1 32
dd.exe NtReadfile()
(Kernel32.dll)Int 2E (Ntdll.dll)
KiSystemService(Ntoskrnl.exe)Call NtReadFile()
(Ntoskrnl.exe)
Disk Driver (disk.sys)
Disk port driver (atapi, scsiport.sys)
Disk miniport driver
Kernel (Ring 0) Rootkits• IO Request Packet
(IRP) Hooking– IRP Dispatch Table
E.g. He4Hook (someversions)
• Disk Firmware• BIOS?
Copyright Security-Assessment.com2006
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys, …)
Volume manager disk driver
(ftdisk.sys, dmio.sys)
Disk Array
Readfile()
(Win32 API)
Initiate I/O Operation
(driver.sys)
1 32
dd.exe NtReadfile()
(Kernel32.dll)Int 2E (Ntdll.dll)
KiSystemService(Ntoskrnl.exe)Call NtReadFile()
(Ntoskrnl.exe)
Disk Driver (disk.sys)
Disk port driver (atapi, scsiport.sys)
Disk miniport driver
Kernel (Ring 0) Rootkits• Filter Drivers
– The officialMicrosoft method
• Types– File system filter– Volume filter– Disk Filter– Bus Filter
E.g. Clandestine FileSystem Driver (CFSD)
Copyright Security-Assessment.com2006
• Wherever we want
• The Windows driver model leaves us a lot of scope
• Personally I like disk filter drivers or IRP hooks because– a) They are simple to implement– b) They’re not detected by most rootkit detectors
DDefy: Where Do We Intercept?
Copyright Security-Assessment.com2006
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys , …)
Volume manager disk driver
(ftdisk.sys, dmio.sys)
Disk Array
Readfile ()
(Win 32 API)
Initiate I /O Operation
(driver .sys )
1 32
Ddefy Disk Filter Driver
(ddefy.sys )
Forensic Acquisition
Application NtReadfile ()
(Kernel32.dll)Int 2E (Ntdll.dll )
KiSystemService(Ntoskrnl . exe)Call NtReadFile()
(Ntoskrnl .exe)
Disk Driver (disk.sys)
Disk port driver (atapi, scsiport .sys )
Disk miniport driver
Request X bytes at disk relative offset Y
Return sanitized data
DDefy: Where We Hook
Copyright Security-Assessment.com2006
How Do We Understand the File System?• NTFS is my target• Easy thanks to recent publications (File System
Forensics – B. Carrier)
• Ask the operating system to give us most of theinformation anyway
• We could do this ourselves, but I assume ntfs.sysis a better NTFS interpreter than I am
Copyright Security-Assessment.com2006
How Do We Understand the File System?Boot Sector
Master File Table
File1.txt
File2.txt
ROOT
File3.mpg
Windows
Cluster Area
Index – File1.txt, File2.txt, File3.mpg
This is the file1.txt contents
This is the file2.txt contents
Cluster Pointers – 334,336
Index – win.ini, win.dat …..
1
5
4
3
2
File3.mpg contents 1 334
File3.mpg contents 1 336
Program Files Index – Accessories, Common Files...6
Copyright Security-Assessment.com2006
How Do We Understand the File System?
• To completely hide a file from \\.\PhysicalDrive0with DDefy we have to fake:
– Directory Entry (Index)– Master File Table (MFT) Entry– MFT Data (for small files)– Data in Clusters (for larger files)
Copyright Security-Assessment.com2006
DDefy: The Process
Kernel Mode
User Mode
DeviceIOControl ()
(Win32 API)
Ddefy Disk Filter Driver
(ddefy.sys )
Ddefy Client 1. Determine drive info and NTFS characteristics for partition
2. Determine Filename and Directory entry position on disk
3. Determine clusters containing file data and their position on disk
4. HideData(Disk 0, Offset A , Length B , replace with Nulls )
5. HideData(Disk 0, Offset C , Length D , replace with “fakefile . txt”)
6. Monitor for file changes and update
Copyright Security-Assessment.com2006
Avoiding Detection• This is all irrelevant if the forensic analyst finds
“hacker.exe” running in memory
• So how does the forensics guy get his processlisting? Network connections etc?
• \\.\PhysicalMemory
• Can we clean this up with some kernelmodifications?
Copyright Security-Assessment.com2006
DDefy: Memory Interception• Standard rootkit SSDT hook on
NtMapViewofSection for all accesses to\\.\PhysicalMemory
• Modifies process and thread list
• Could be implemented using ShadowWalkertechnique (Sparks & Butler)
Copyright Security-Assessment.com2006
DDefy: Copying Memory
Kernel Mode
User Mode
MapViewofFile ()
(Win 32 API)
View of Memory
DDMapViewofFile ()
(Kernel32.dll)Int 2E (Ntdll .dll)
KiSystemService
(Ntoskrnl .exe )Call NtMapViewofSection ()(Ntoskrnl .exe)
1 2
3
4
Copyright Security-Assessment.com2006
DDefy: Manipulating Memory
Kernel Mode
User Mode
MapViewofSection ()
(Win 32 API)
View of Memory
DDMapViewofSection ()
(Kernel32.dll)Int 2E (Ntdll .dll)
KiSystemService
(Ntoskrnl .exe )
Call NtMapViewofSection ()
(Ntoskrnl .exe)
Call DDefyMapSection ()(Ntoskrnl .exe)
Modified Copy of Memory
1 2
34
Copyright Security-Assessment.com2006
DDefy Memory Forensics Demo
Mem Capture with DDefy.wmvMem Analysis with DDefy.wmv
Copyright Security-Assessment.com2006
DDefy Memory Interception• Detectable
– Ongoing rootkit detection arms race
• Doesn’t hide– Memory mapped files– Memory paged to disk
Copyright Security-Assessment.com2006
A Better Way of Acquiring Disk Data• Method
– Install IRP hook– Communicate
directly with IRPhook
– Encryptcommunications
– Confirm user landmatches kernelland
• Challenges– Stability– OS Specific
Kernel Mode
User Mode
I/O Manager
File System Driver
(ntfs.sys , …)
Volume manager disk driver(ftdisk .sys, dmio.sys)
Disk Array
Readfile ()
(Win 32 API)
Initiate I /O Operation
(driver .sys )
1 32
Ddefy Disk Filter Driver(ddefy.sys )
Forensic Acquisition
Application
NtReadfile ()
(Kernel 32.dll)Int 2E (Ntdll .dll)
KiSystemService
(Ntoskrnl .exe )Call NtReadFile()(Ntoskrnl .exe)
Disk Driver (disk .sys)
Disk port driver (atapi, scsiport .sys )
Disk miniport driver
IRP Hook
Copyright Security-Assessment.com2006
What it Means• Live forensic imaging is a broken concept
• Data gathered via live imaging cannot be trusted
• Manipulation of evidence is both possible andprobable
• However, live imaging is still useful if combinedwith the right knowledge
Copyright Security-Assessment.com2006
Future Work• Defeating cross view rootkit detection tools in a
generic way
• Implementation of an open source imaging tool todefeat these anti-forensic techniques
Copyright Security-Assessment.com2006
Questions ?
http://www.security-assessment.com
Copyright Security-Assessment.com2006
Resources• Windows System Internals 4th Edition– D. Solomon, M.
Russinovich• Rootkits – G. Hoglund, J. Butler• Shadow Walker – Phrack 63• Primary Windows Rootkit Resource
http://www.rootkit.com• Joanna Rutkowska – Stealth Malware Detection
http://www.invisiblethings.org• Windows Driver Development Resource
http://www.osronline.com